Your message dated Sun, 04 Mar 2018 15:02:08 +0000
with message-id <[email protected]>
and subject line Bug#884912: fixed in global 6.5.6-2+deb9u1
has caused the Debian Bug report #884912,
regarding global: CVE-2017-17531 possible command injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
884912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884912
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: global
X-Debbugs-CC: [email protected] [email protected]
Severity: important
Tags: security

Hi,

the following vulnerability was published for global.

CVE-2017-17531[0]:
| gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before
| launching the program specified by the BROWSER environment variable,
| which might allow remote attackers to conduct argument-injection
| attacks via a crafted URL.

This boils down to this part of the code:
https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/?hl=281:283#L281

    snprintf(com, sizeof(com), "%s \"%s\"", browser, strbuf_value(URL));
    system(com);

I'm not quite sure where the URL can come from, but assuming that someone
malicious can inject a bad URL up to this code, then there's a possibility of
command injection when the URL contains shell meta-characters (think «
http://foo/";command;"; » or « http://foo$(command)/ »).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17531
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531

Please adjust the affected versions in the BTS as needed.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
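The pattern quoted in the report above, beside a hardened launcher, as an added C example that is not part of the bug report or of GNU GLOBAL's code: build_command reproduces the snprintf/system string construction so the broken quoting is visible, has_shell_metachar is a constructed detection check, and launch_browser is an assumed fix using fork/execvp (not the upstream 6.6.1 patch, which this page does not show). The URLs are constructed from the shapes in the report.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Reproduction of the pattern quoted in the bug report: the URL is pasted into
 * a command line that system() hands to /bin/sh, so a double quote in the URL
 * closes the quoted argument and the rest is parsed as shell syntax.
 * Returns 0 on success, -1 if the buffer was too small. */
int build_command(const char *browser, const char *url, char *com, size_t comsz)
{
    int n = snprintf(com, comsz, "%s \"%s\"", browser, url);
    return (n >= 0 && (size_t)n < comsz) ? 0 : -1;
}

/* Detection aid (constructed): does the URL carry characters /bin/sh would
 * interpret?  Handy for logging or rejecting input on any remaining shell path. */
int has_shell_metachar(const char *url)
{
    return strpbrk(url, "\"'`$\\;|&<>()\n") != NULL;
}

/* Assumed fix: no shell at all.  execvp() resolves the browser via PATH and
 * the URL is exactly one argv element, so its contents are never parsed.
 * Returns the child's exit status, 127 if the browser could not be executed,
 * -1 on fork/wait failure. */
int launch_browser(const char *browser, const char *url)
{
    char *const argv[] = { (char *)browser, (char *)url, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(browser, argv);
        _exit(127);                 /* only reached if execvp() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char com[256];
    const char *url = "http://foo/\";command;\"";   /* shape from the report */
    build_command("firefox", url, com, sizeof com);
    printf("shell would see: %s  (metachars: %d)\n", com, has_shell_metachar(url));
    return launch_browser("true", url);   /* "true" stands in for a browser */
}
```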
--- Begin Message ---
Source: global
Source-Version: 6.5.6-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
global, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Punit Agrawal <[email protected]> (supplier of updated global package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 03 Jan 2018 21:41:34 +0000
Source: global
Binary: global
Architecture: source amd64
Version: 6.5.6-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Wookey <[email protected]>
Changed-By: Punit Agrawal <[email protected]>
Description:
 global     - Source code search and browse tools
Closes: 884912
Changes:
 global (6.5.6-2+deb9u1) stretch; urgency=medium
 .
   * Backport fix for CVE-2017-17531 from 6.6.1 (Closes: #884912)


--- End Message ---
